audit Command

Purpose

Controls system auditing.

Syntax

audit { on [ panic | fullpath] | off | query | start | shutdown }{-@ wparname ...}

Description

The audit command controls system auditing through several keywords. You must include one keyword each time you enter the command. The start keyword and the shutdown keyword start and stop the auditing system and reset the system configuration. The off keyword and the on keyword suspend and restart the audit system without affecting the system configuration. The query keyword lets you query the current status.

The auditing system follows the instructions established in the following configuration files:

The -@ option is not supported when you run it in a WPAR.

Keywords

Item Description
start Starts the audit subsystem. This keyword reads the instructions in the configuration files and performs the following tasks:
role auditing
Audits all roles currently active in to the system, if they are configured in the roles stanza of the /etc/security/audit/config file.
object auditing
Writes the audit event definitions in the /etc/security/audit/objects file into the kernel to define the object auditing events.
Note: When the parent directory of one of the file-system objects does not exist, the flag fails and issues an ENOENT error.
event auditing
Writes the audit class definitions in the /etc/security/audit/config file into the kernel to define the audit classes.
bin auditing
Starts the auditbin daemon according to the configuration information in the bin stanza in the /etc/security/audit/config file, if the start stanza contains binmode=on.
stream auditing
Invokes the audit stream commands as defined in the stream stanza in the /etc/security/audit/config file, if the start stanza contains streammode=on.

Attention: Avoid invocation of stream auditing from /etc/inittab.

user auditing
Audits all users currently logged into the system, if they are set up in the users stanza of the /etc/security/audit/config file.
audit logging
Enables the audit logging component as defined in the start stanza in the /etc/security/audit/config file.
audit ranges
Writes the Trusted AIX® audit ranges into the kernel if they are set up in the WPAR Audit Ranges (WAR) stanza of the /etc/security/audit/config file.
global-initiated WPAR auditing
Audits the WPARs, if they are stored in the WPARS stanza of the /etc/security/audit/config file. The auditing can be used only from global WPAR by specifying the -@ wparname parameter in the command.
shutdown Terminates the collection of audit records and resets the configuration information by removing the definition of classes from the kernel tables. All the audit records are flushed from the kernel buffers into the bin files or audit streams, according to the specifications for the backend commands, which are contained in the /etc/security/audit/bincmds file for binmode auditing, and in the /etc/security/audit/streamcmds file for streammode auditing. The collection of audit data stops until you give the next audit start command. When you use the -@ wparname parameter with this keyword, auditing is disabled for the specified WPAR.
off Suspends the auditing system, but leaves the configuration valid. Data collection pauses until you give the audit on command. The -@ option is not supported with this keyword.
on [panic | fullpath] Restarts the auditing system after a suspension, if the system is properly configured (for example, if the audit start command was used initially and the configuration is still valid). If auditing has already started when the command is given, only bin data collection can be changed.

The -@ option is not supported with this keyword.

If you specify the panic option, the system halts abruptly if bin data collection is enabled but cannot be written to a bin file. The panic option is not supported when you run it in a WPAR.

If you specify the fullpath option, the FILE_Open, FILE_Read and FILE_Write auditing events capture the full path name of a file.

query Queries the auditing status of the audit subsystem. If you specify the -@ option, this keyword queries the auditing status of a global initiated WPAR. This keyword displays the current status of the audit subsystem in the following format:
auditing on {panic | fullpath} | auditing off
  
bin manager off |  is process number pid
 
audit events:
    audit class: audit event, audit event...
audit objects:
    object name: object mode: audit event 

Security

Access Control

This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed

Mode File
r /etc/security/audit/config
r /etc/security/audit/objects
x /usr/sbin/auditbin
x /usr/sbin/auditstream

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To start the audit process, configure the audit system as described in "Setting up Auditing" in AIX Version 7.1 Security, and add the following line to the system initialization file (the /etc/rc file):
    /usr/sbin/audit start 1>&- 2>&- 
    The audit process starts, as configured, each time the system is initialized.
  2. To start the audit process for the WPAR named wpar1 from the global WPAR, enter the following command:
    /usr/sbin/audit start -@ wpar1
  3. To terminate the operation of the auditing process, enter the following command:
    /usr/sbin/audit shutdown
    Data collection stops until the audit start command is specified again. The configuration of classes in the operating system kernel is lost.
    Note: The audit shutdown command should be in the /etc/shutdown file as well.
  4. To terminate the auditing process of the WPAR named wpar1 from global WPAR, enter the following command:
    /usr/sbin/audit shutdown -@ wpar1
    Data collection stops until the audit start -@ wpar1 command is specified again. The configuration of classes in the operating system kernel is lost.

    Remember: The audit shutdown command, without any options, shuts down the auditing process of all WPARs started from the global WPAR.

  5. To suspend the audit subsystem, enter the following command:
    /usr/sbin/audit off
  6. To restart an audit process that was suspended by the audit off command, enter the following command:
    /usr/sbin/audit on
    The suspended state ends and audit records are generated again, as long as the system is configured correctly.
  7. To display the current status of the auditing system, enter the following command:
    /usr/sbin/audit query
    The following is an example of an audit query status message:
    auditing on
     
    bin manager is process number 123
     
    audit events:
        authentication- USER_Login, USER_Logout
        administration- USER_Create, GROUP_Create
     
    audit objects:
        /etc/security/passwd :
          r = AUTH_Read
        /etc/security/passwd : 
          w = AUTH_Write 
    The query informs you that audit records are written when the specified users log in or log out, when the specified administrators create a user or a group, and when the system receives an authorized read or write instruction for the /etc/security/passwd file.

Files

Item Description
/etc/security/audit/bincmds Contains shell commands for processing audit bin data.
/etc/security/audit/config                Contains audit configuration information.
/etc/security/audit/events            Lists the audit events and their tail format specifications.
/etc/security/audit/objects            Lists the audit events for each file (object).
/etc/security/audit/streamcmds    Contains auditstream commands.
/etc/rc Contains the system initialization commands.
/usr/sbin/audit Contains the path of the audit command.